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Abstracting Asynchronous Multi- Valued Networks 


Jason STEGGLES! 


Abstract 


Multi-valued networks (MVNs) provide a simple yet expressive qual- 
itative state based modelling approach for biological systems. In this 
paper we develop an abstraction theory for asynchronous MVNs that 
allows the state space of a model to be reduced while preserving key 
properties. The abstraction theory therefore provides a mechanism 
for coping with the state space explosion problem and supports the 
analysis and comparison of MVNs. We take as our starting point 
the abstraction theory for synchronous MVNs which uses the under— 
approximation approach of trace set inclusion. We show this defini- 
tion of asynchronous abstraction allows the sound inference of analy- 
sis properties and preserves other interesting model properties. One 
problem that arises in the asynchronous case is that the trace set of 
an MVN can be infinite making a simple trace set inclusion check in- 
feasible. To address this we develop a decision procedure for checking 
asynchronous abstractions based on using the finite state graph of an 
asynchronous MVN to reason about its trace semantics and formally 
show that this decision procedure is correct. We illustrate the abstrac- 
tion techniques developed by considering two detailed case studies in 
which asynchronous abstractions are identified and validated for exist- 
ing asynchronous MVN models taken from the literature. 


Keywords: Multi-valued networks, abstraction techniques, biological 
modelling, qualitative modelling. 


1 Introduction 


Multi-valued networks (MVNs) (25, 34, 35] are an expressive qualitative 
modelling approach for biological systems (for example, see [35, 7, 28, 3]). 
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They extend the well-known Boolean network [17, 18] approach by allowing 
the state of each regulatory entity to be within a range of discrete values in- 
stead of just true or false. The state of each regulatory entity is influenced 
by other regulatory entities in the MVN and entities update their state 
using either a synchronous update strategy [18, 39] where all entities simul- 
taneously update their state, or an asynchronous update strategy [33, 15, 36] 
where entities update their state independently using a non-deterministic 
approach. 


While MVNs have shown their usefulness for modelling and under- 
standing biological systems further work is still needed to strengthen the 
techniques and tools available for MVNs. One interesting area that needs 
developing is a theory for abstracting MVNs. Abstraction techniques allow 
a simpler model to be identified which can then be used to provide insight 
into the more complex original model. Such techniques are well-known in 
the formal verification community as a means of coping with the complex- 
ity of formal models (see for example [9, 6, 10, 13]). The main motivation 
behind developing such a theory for MVNs can be summarised as follows: 


(1) The analysis of MVNs is limited by the well-known problem of state 
space explosion. Using abstraction allows analysis results about a model to 
be inferred from a simpler approximate model and so provides a means of 
coping with the state space explosion problem. 

(2) Often several MVNs are defined at different levels of abstraction when 
modelling a system. It is therefore important to be able to formally relate 
these models using an appropriate theory. 

(3) An abstraction theory would provide a basis for the step-wise refinement 
of MVNs. 

(4) Identifying an abstraction for a complex MVN provides a means of bet- 
ter visualising and understanding the behaviour an MVN, giving greater 
insight into the system being modelled. 


The abstraction theory we present for asynchronous MVNs is based on 
extending the synchronous abstraction theory presented in [5]. We formu- 
late a notion of what it means for an asynchronous MVN to be correctly 
abstracted by a simpler MVN with the same network structure but smaller 
state space. The idea is to use an abstraction mapping to relate the reduced 
state space of an abstraction to the original MVN. An abstraction is then 
said to be correct if its set of asynchronous traces is within the abstracted 
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traces of the original MVN. This definition of abstraction represents an 
under—approzimation [9, 24] approach since not all of the behaviour of the 
original MVN is guaranteed to have been captured within the abstraction. 
We show that this approach allows sound analysis inferences about positive 
reachability properties in the sense that any reachability result shown on an 
abstraction must hold on the original model. An important result of this 
is that it therefore follows that all attractors of an asynchronous abstrac- 
tion correspond to attractors in the original MVN. Note that an alternative 
approach commonly used in abstraction is to use an over—approximation 
(9, 24, 10] in which false positives may occur for reachability results. How- 
ever, such an approach appears to be problematic for MVNs and we discuss 
this further in Section 3. 


The non-deterministic nature of asynchronous MVNs mean that we 
encounter additional complications compared to the synchronous case; an 
asynchronous MVN can have an infinite set of traces which means that 
directly testing trace inclusion to check a proposed abstraction is infeasi- 
ble. We overcome these difficulties by constructing a decision procedure for 
checking asynchronous abstractions that is based on the underlying finite 
state graph of an MVN. We introduce the idea of step terms which are used 
to denote possible ways to use sets of concrete states to represent abstract 
states. The decision procedure starts with the set of all possible step terms 
and then iteratively prunes the set until either a consistent abstract repre- 
sentation has been found or the set of remaining step terms is too small to 
make it feasible to continue. We provide a detailed proof that shows the de- 
cision procedure correctly identifies asynchronous abstractions and discuss 
the complexity of the decision procedure. 


We illustrate the abstraction theory we develop by considering two de- 
tailed case studies in which asynchronous abstractions are identified for bio- 
logical MVN models taken from the literature. The first case study considers 
an MVN model of the regulatory network that controls the biosynthesis of 
tryptophan by the bacteria Escherichia coli (29, 27|. Tryptophan is essential 
for the development of E. coli and its resource intensive synthesis is carefully 
controlled to ensure its production only occurs when an external source is 
not available. We investigate identifying asynchronous abstractions for an 
existing MVN model of this regulatory mechanism which was developed in 
[30]. The second case study considers a model for the genetic regulatory 
network controlling the lysis-lysogeny switch in the bacteriophage A [32, 7]. 
Bacteriophage  [34, 23] is a virus which after infecting the bacteria E. coli 
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makes a decision to switch to one of two possible reproductive phases: in 
the lytic cycle the virus generates as many new viral particles as the infected 
cell’s resources allow and then lyse the cell wall to release the new phage; 
in the lysogenic cycle the 4 DNA integrates into the host DNA providing 
it with immunity from other phages and allowing it to be replicated with 
each cell division. We consider identifying asynchronous abstractions for a 
four entity MVN model [32] of the lysis-lysogeny switching mechanism. 
The paper is organized as follows. In Section 2 we provide a brief 
overview of the MVN framework and present a simple illustrative example. 
In Section 3 we formulate a notion of abstraction for asynchronous MVNs 
and consider the analysis properties that can be inferred from an abstrac- 
tion. In Section 4 we present a decision procedure for checking asynchronous 
abstractions and provide a detailed proof of correctness for this procedure. 
In Section 5 we illustrate the theory and techniques developed by present- 
ing two case studies that consider identifying asynchronous abstractions for 
MVN models taken from the biological modelling literature. Finally, in 
Section 6 we present some concluding remarks and discuss related work. 


2 Multi-valued Network Models 


In this section, we introduce multi-valued networks (MVNs) [25, 34, 35], a 
qualitative modelling approach which extends the well-known Boolean net- 
work [17, 18] approach by allowing the state of each regulatory entity to be 
within a range of discrete values. MVNs can therefore discriminate between 
the strengths of different activated interactions, something which Boolean 
networks are unable to capture. MVNs have been extensively studied in cir- 
cuit design (for example, see [25, 20]) and successfully applied to modelling 
biological systems (for example, see [35, 7, 28, 3]). 

An MVN consists of a set of logically linked entities G = {g1,..., 9x} 
which regulate each other in a positive or negative way. Each entity g; in an 
MVN has an associated set of discrete states Y(g;) = {0,...,m}, for some 
m,; > 1, from which its current state is taken. Note that a Boolean network 
is therefore simply an MVN in which each entity g; has a Boolean set of 
states Y(g;) = {0,1}. Each entity g; also has a neighbourhood N(g;) = 
{Ji1+++++Giy,,} Which is the set of all entities that can directly affect its 
state. A given entity g; may or may not be a member of N(g;) and any 
entity in which N(g;) = {} is taken to be an input entity whose regulation 
is outside the current model. The behaviour of each entity g; based on 
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these neighbourhood interactions is formally defined by a logical next-state 
function f,, which calculates the next-state of g; given the current states of 
the entities in its neighbourhood. 


We can define an MVN more formally as follows. 


Definition 1. An MVN MVis a four-tuple MV = (G,Y, N, F’) where: 
i) G= {g1,..-, gx} is a non-empty, finite set of entities; 

ii) Y = (Y(g1),---,¥(ge)) is a tuple of state sets, where each Y(g;) = 
{0,...,m}, for some m,; > 1, is the state space for entity g;; 

iii) N = (N(q1),.-., N(gg)) is a tuple of neighbourhoods, such that N(g;) C 
G is the neighbourhood of g;; and 

iv) F = (fo,,--+5 fo,) is a tuple of next-state multi-valued functions, such 
that if N(gi) = {9:,,---,9:,} then the function fj, : Y(gi,) x +--+ Y (gin) 7 
Y(g;) defines the next state of g;. 


Consider the following simple example PL2 of an MVN defined in Fig- 
ure 1 which models the core regulatory mechanism for the lysis—lysogeny 
switch [34, 23] in the bacteriophage \ (this model is taken from [32]). It 
consists of two entities CI and Cro, defined with neighbourhoods N(CT) = 
{CI, Cro} and N(Cro) = {CT, Cro}, and state spaces Y(CT) = {0,1} and 
Y(Cro) = {0,1,2}. The next-state functions for each entity are defined 
using the state transition tables presented in Figure 1.(b) (where [g;] is used 
to denote the next state of entity g;). We can summarise the interactions 
as follows: entity Cro inhibits the expression of CT and at higher levels of 
expression, also inhibits itself; entity C7 inhibits the expression of Cro while 


Interactions CI Cro [CT] [Cro] 
—,+ Activation 0 0 1 1 
— Inhibition 0 1 ;|0 2 
0 2 0) 1 
1 0 1 0 
ca eo fi} 
1 2 0 1 

(a) Network structure (b) State transition tables 


Figure 1: The MVN model PL2 of the core regulatory mechanism for the 
lysis-lysogeny switch in bacteriophage A (taken from [32]). 
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promoting its own expression. (Note we say A inhibits B if A acts to reduce 
the state of B, and A promotes B if A acts to increase the state of B.) 

An MVN is said to satisfy the unit state step assumption [34] if every 
entity increases/decreases its state in unit steps of +1 . We note that the 
assumption of unit state steps is often made in the literature when using 
MVNs (for example, see [8]). We avoid making this explicit assumption in 
Definition 1 since it is not required for the theoretical results we develop. 
However, in Section 3 we show that our notion of abstraction preserves the 
unit state step assumption (see Theorem 12). 

In the sequel, let MV = (G,Y, N, F) be an arbitrary MVN. In a slight 
abuse of notation we let g; © MV represent that g; € G is an entity in MV. 

A global state of an MVN MV with k entities is represented by a tuple 
of states (s1,..., 8%), where s; € Y(g;) represents the state of entity g; € MV. 
As a notational convenience we often use s; ... 5; to represent a global state 
(s1,.--, 8%). When the current state of an MVN is clear from the context 
we let g; denote both the name of an entity and its corresponding current 
state. The global state space of an MVN MV, denoted Syyv, is the set of all 
possible global states Sywy = Y(g1) x --- x Y (gp). 

The state of an MVN can be updated either synchronously (see {18, 39]), 
where the state of all entities is updated simultaneously in a single update 
step, or asynchronously? (see [33, 15]), where entities update their state 
independently. We define these update strategies more formally as follows: 


Definition 2. 

1) Synchronous Update: Given two states $1, 52 € Syy, we let $1 a So 
represent a synchronous update step such that So is the state that results 
from simultaneously updating the state of each entity g; using its next-state 
function f,, and the appropriate states from Sj as indicated by the neigh- 
bourhood N(g;). 


2) Asynchronous Update: For any g; € MV and any state S € Syy we 
let [S]% denote the global state that results by updating the state of g; in 
S using f,,. Define the global state function nert“Y : Suy > P(Smv) on 
any state S € Syy by 


neat!’ (S) = {[S]% | g: € MV and [S]% 4 S$} 


?Note that different variations of the asynchronous semantics have been considered in 
the literature (see for example [26]) but that we focus on the one most commonly used 
for MVNs. 
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7 A 
Given a state S; € Sy and S_ € next! ($1), we let Sj oY G5 represent 
an asynchronous update step. 


Note that given the above definition, only asynchronous update steps 
that result in a change in the current state are considered (see [15]). 
Continuing with our example, consider the global state 12 for PL2 (see 


Figure 1) in which CY has state 1 and Cro has state 2. Then 12 EV 01 4s 
a single synchronous update step on this state resulting in the new state 11. 


Considering an asynchronous update, we have next“’(12) = {02, 11} and 


A A : 
12 —% 02 and 12 —s 11 are valid asynchronous update steps. 


The sequence of update steps from an initial global state through Syyy 
is called a trace. In the case of the synchronous update semantics such 
traces are deterministic and infinite. Given that the global state space is 
finite, this implies that a synchronous trace must eventually enter a cycle, 
known formally as an attractor cycle [18, 35]. 


Definition 3. A synchronous trace o is a list of global states 0 = 
(So, $1, S2,...), where S; "4" S:44, for i> 0. 


The set of all synchronous traces, denoted Tr°(MV), therefore com- 
pletely characterizes the behaviour of an MVN model under the synchronous 
semantics and is referred to as the synchronous trace semantics of MV. Note 
that we have one synchronous trace for each possible initial state and so the 
set of synchronous traces is always finite (see [18, 39]). 

In the asynchronous case, traces are non-deterministic and can be fi- 
nite or infinite. A single initial state can have an infinite number of possible 
asynchronous traces starting from it and thus in the asynchronous case there 
can be infinite number of traces. 


Definition 4. An asynchronous trace o is either: 
i) a finite sequence of global states 0 = (So, S1,..., Sn), where S; a Seis 
for i =0,...,n—1, and next’(S,,) = {}. 

ii) an infinite sequence of global states 0 = (So, 5 ,S2,...), where S$; a 
Si41, for i > 0. 


The set of all asynchronous traces, denoted Tr4(MV), therefore com- 
pletely characterizes the behaviour of an MVN model under the asynchronous 
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Figure 2: The (a) synchronous and (b) asynchronous state graphs for PL2. 


semantics and is referred to as the asynchronous trace semantics of MV. Any 
state S € Sy which cannot be asynchronously updated, i.e. next!Y(S) = 
{}, is referred to as a point attractor [34]. 

In our running example, PL2 has a state space of size |Spz2| = 6 and 
has the following (finite in this case) set of asynchronous traces: 


(00,01, 02,01,02,...) (11,01, 02, 01, 02,...) 
(00, 10) (11, 10) 

(01, 02, 01, 02,...) (12,02, 01, 02, 01,...) 
(02, 01,02, 01,...) (12, 11,01, 02, 01,...) 
(10) (12, 11, 10) 


From the above traces it is clear that state 10 is a point attractor for PL2. 

The behaviour of an MVN under the synchronous or asynchronous 
trace semantics can be represented by a state graph (for example, see [36]) 
in which the nodes are the global states and the edges are precisely the 


update steps allowed. We let SG°(MV) = (Suv, aL and SG4(MV) = 


(Suv, als denote the corresponding state graphs under the synchronous 
and asynchronous trace semantics. 

The synchronous and asynchronous state graphs for PL2 are presented 
in Figure 2. 

When analysing the behaviour of an MVN it is important to consider 
its attractors which can represent important biological phenomena, such 
as different cellular types like proliferation, apoptosis and differentiation 
[16]. In the synchronous case all traces are infinite and so must lead to a 
cyclic sequence of states which are taken as an attractor [18, 35, 39]. As 
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an example, consider PL2 (see Figure 2.(a)) which has the point attractor 


10 — 10; and attractors 00 2% 11 24s 00 and 01 = 02 2% 01 of 


period 2. In the asynchronous case we have point attractors which are states 
that cannot be updated and also the strongly connected components? in an 
MVN’s asynchronous state graph are considered to be attractors [36]. Again, 


considering PL2 (see Figure 2.(b)) we can see that in the asynchronous case 


A A 
it has a point attractor 10 and an attractor 01 =, 02 —* 01. 


3 Asynchronous Abstractions 


In this section we consider developing a notion of abstraction for asyn- 
chronous MVNs. The idea is to formulate what it means for an MVN to 
be correctly abstracted by a simpler MVN with the same network structure 
but smaller state space. We take as our starting point the abstraction tech- 
niques developed for synchronous MVNs [5] and investigate extending these 
to the asynchronous case. We show that our approach allows sound analysis 
inferences about positive reachability properties and that all attractors of 
an asynchronous abstraction correspond to attractors in the original MVN. 

We begin by recalling the notion of a state mapping and abstraction 
mapping [5] used to reduce an entity’s state space. 


Definition 5. Let MV be an MVN and let g; € MV be an entity such 
that Y(g;) = {0,...,m} for some m > 1. Then a state mapping $(g;) for 
entity g; is a surjective mapping ¢(g;) : {0,...,m}— {0,...,n}, where 
0<n<m. 


The state mapping must be surjective to ensure that all states in the 
new reduced state space are used. From a biological viewpoint it may also 
be reasonable to further restrict the state mappings considered, for example, 
only considering those mappings which are order-preserving. Note we only 
consider state mappings with a codomain larger than one, since a singular 
state entity does not appear to be of biological interest. 

As an example, consider entity Cro € PL2 (see Figure 1) which has 
the state space Y(Cro) = {0,1,2}. It is only meaningful to simplify Cro to 
a Boolean entity and so there are two possible state mappings of interest to 


3A strongly connected component of a graph is a maximal set of nodes such that every 
node is reachable from each other in the set [36]. 
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achieve this: 


(Cro) = {00,111,261}, ¢'(Cro) = {050,1H0,2 1}. 


In the examples that follow we choose to use the first state map (Cro) 
which maps state 0 to 0 and merges states 1 and 2 into a single state 1. 

In order to be able to simplify several entities at the same time during 
the abstraction process we introduce the notion of a family of state map- 


pings. 


Definition 6. Let MV = (G,Y,N,F) be an MVN with entities G = 
{g1,---,9¢}. Then an abstraction mapping ¢ = (¢(g1),---,P(gx)) for MV 
is a family of mappings such that for each 1 <i < k we have ¢(g;) is either 
a state mapping for entity g; or is the identity mapping I,, : Y(g:) > Y(g:) 
where Ig,(s) = s, for all s € Y(g;). Furthermore, for ¢@ to be useful we 
normally insist that at least one of the mappings ¢(g;) is a state mapping. 


Note in the sequel given a state mapping ¢(g;) we let it denote both 
itself and the corresponding abstraction mapping containing only the single 
state mapping (gi). 

An abstraction mapping ¢ can be used to abstract an asynchronous 
trace (see Definition 4) using a similar approach to that detailed for syn- 
chronous traces [5]. We begin by defining how an abstraction mapping can 
be lifted to a global state. 


Definition 7. Let ¢ = (¢(g1)...¢(gx)) be an abstraction mapping for 
MV. Then @ can be used to abstract a global state s,...s8, € Syv by ap- 


plying it pointwise, i.e. (51... 5%) = 6(91)(s1)--- (gk) (Sk). 


We can apply an abstraction mapping @ to an asynchronous trace 
ae Tr4(M V) by applying ¢ to each global state in the trace in the obvi- 
ous way and then merging consecutive identical states. Note that removing 
consecutive identical states is needed to ensure abstracted traces are well- 
defined since by the definition of an asynchronous trace (see Definition 4) 
each asynchronous update rule must result in a new global state (i.e. the 
state of an entity has to change in order for a state transition to occur). 


Definition 8. Let ¢ = (¢(g1)...¢(gx)) be an abstraction mapping for 
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MV and let o € Tr4(MV) be either a finite o = (So,.91,...,S5n) or infinite 
ao = (So, $1, .S2,...) asynchronous trace. Then ¢(c) is the abstracted trace 
that results by 


i) First apply the abstraction mapping to each state in o, i.e. in the finite 
case (¢(So), 6(S1),..-,@(Sn)) or in the infinite case (¢(.59), 6(:$1), d(S2),...). 
ii) Next merge consecutive identical global states in the trace into a sin- 
gle global state to ensure that no two consecutive states are identical in 
the resulting abstracted trace, i.e. suppose the result is an infinite trace 
(b(So0), 6(S1), 6(S2),...) then we know $(5;) 4 $(Si41), for alli EN. 


We let o(Tr4(MV)) = {¢(c) | o € Tr4(MV)} denote the set of ab- 
stracted traces. 

As an example, consider applying the abstraction mapping ¢(Cro) = 
{0+ 0,11 1,2+5 1} to the PL2 asynchronous trace (00,01, 02,01, 02,...). 
Part i) of Definition 8 above results in the trace (00,01,01,01,01,...); we 
now merge identical consecutive states to derive the abstracted trace (00, 01). 
It is interesting to note that abstracting an infinite trace can result in a finite 
abstracted trace, as above. The intuition here is that a cyclic set of states 
have been abstracted to a single point. The complete set of abstracted 
asynchronous traces of PL2 using ¢(Cro) are given below: 


(Cro)((00,01,02,01,02,...)) = (00,01) 
( Cro)((00, 10)) = (00,10) 
o(Cro)((01, 02, 01, 02,...)) = (01) 

o( Cro)((02, 01,02, 01,...)) = (01) 

(Cro) ((10)) = (10) 

o(Cro)((11,01,02,01,02,...)) = (11,01) 
o( Cro)((11, 10)) = (11,10) 
o(Cro)((12,02,01,02,01,...)) = (11,01) 
o(Cro)((12,11,01,02,01,...)) = (11,01) 
o( Cro)((12, 11, 10)) = (11,10) 


The definition of an asynchronous abstraction is based on its trace se- 
mantics and follows along similar lines to that for the synchronous case [5]. 
We say an asynchronous abstraction is correct if its set of traces is within 
the abstracted traces of the original MVN. This definition of abstraction 
represents an under—approximation [9, 24] approach since not all of the be- 
haviour of the original MVN is guaranteed to have been captured within 
the abstraction (we discuss the implications of this below). 
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Definition 9. Let MV, = (G1, Yi, M1, Fi) and MV = (G2, Yo, No, Fo) 
be two MVNs with the same structure, i.e. Gj = G2 and Ni(g;) = No(gi), 
for all g; € MV,. Let @ be an abstraction mapping from MV2 to MV. 
Then we say that MV, asynchronously abstracts MV2 under ¢, denoted 
MV, <% MVo, if, and only if, Tr4(MVi) C ¢(Tr4(MV2)). 


As an abstraction example, consider the MVN APL2 defined in Figure 
3 which has the same structure as PL2 (see Figure 1) but is a Boolean model. 
Then given the abstraction mapping ¢(Cro) = {0 + 0,115 1,2 + 1} we 


CI Cro |[CT] [Cro] | 

Oe Dh |iote at (00,01) (10) a 

: ; : : (00,10) (11,01) OGNa 
We 2 | 20 6 pe (9) 


Figure 3: State transition tables defining APL2, the associated asyn- 
chronous trace semantics Tr4(APL2) and asynchronous state graph. 


can see that Tr4(APL2) C ¢(Cro)(Tr4(PL2)) holds and so APL2 is an 
abstraction of PL2, i. APL2 ior) PL2 holds. Note that APL2 has 
two point attractors: 01 and 10 which correspond to the two attractors 
associated with PL2 (see Figure 2.(b)) and thus, APL2 can bee seen to be 
a good approximation of the behaviour of PL2. 

Recall that one of the original motivations for developing an abstraction 
theory was to aid the analysis of complex MVNs. It is therefore important 
to consider what properties of an asynchronous MVN can be inferred from 
an abstraction MVN. We consider reachability and the existence of attrac- 


tors since these are the main properties that are considered when analysing 
an MVN. 


Theorem 10. Let MV, <i MV, and let 51,52 € Syy,. If Se is reach- 
able from 5S; in MV, then there must exist states S{,55 € Siy, such that 
($1) = $1, (S$) = Se, and S$ is reachable from Sj in MV2. 


Proof. Since S$ is reachable from S$, there must exist a trace 0 € Tr4(MV,) 
which begins with state S; and which contains state Sy. From Definition 
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9, we know that Tr4(MV\) C ¢(Tr4(MV2)) must hold. Therefore there 
must exist a trace a’ € Tr4(MV2) such that ¢(o’) = o. From this it is 
straightforward to see that there must exist the required states Sj and 5} 
in o’ such that ¢($}) = $1, (S$) = S2, and S% is reachable from S$}. 


The above theorem indicates that inferring reachability properties from 
an abstraction is sound but not complete [13]. The implications of this can 
be summarised as follows: (i) If one state is reachable from another in 
an abstraction then a corresponding reachability property must hold in the 
original model; (ii) However, if one state is not reachable from another in an 
abstraction then a corresponding reachability property in the original MVN 
may or may not hold and more analysis will be required. This relates to 
the fact that our notion of abstraction represents an under—approximation 
[9, 24] of the original model. The alternative approach would be to use an 
over—approzimation abstraction model [9, 24, 10] in which false positives can 
arise and need to be dealt with. It turns out that an over—approximation 
approach is not well suited to our goal of finding an abstraction model of an 
MVN that is itself a well-defined MVN. To illustrate the potential problems, 
consider what happens if a point attractor is identified to a non—attractor 
state by an abstraction mapping. In this case no over—approximation ab- 
straction can exist since such an MVN would need to contain a state that 
was both a point attractor and also had a successor state. Thus the approach 
taken here of using an under—approximation appears to be the appropriate 
approach to use. 


A consequence of the above reachability result is that all attractors in 
an abstraction must have corresponding attractors in the original MVN. 


Corollary 11. If MV, as, MVz then all attractors of MV, must repre- 
sent attractors in MV». 


Proof. Follows directly from the definition of an asynchronous attractor 
and Theorem 10. 


It is interesting to consider what other properties of MVNs are pre- 
served by abstractions. The result below shows that our notion of asyn- 
chronous abstraction preserves the unit state step assumption that is often 
placed on MVNs [34, 8]. 
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Theorem 12. Let MV; and MV2 be two MVNs with the same structure 
and let MV. satisfy the unit state step assumption. Let ¢ be an abstraction 
mapping from MV2 to MV, which is order preserving (i.e. for any g; € MV2 
and any states s1, 52 € Y(g;) (in MV2), if 5; < s2 then $(g;)(s1) < (g;)(s2)). 
If MV; <i MvV2 then MV, must satisfy the unit state step assumption. 


Proof. If MV. satisfies the unit state step assumption then it is clear 
the state steps in every trace 0 € Tr4(MV2) must also satisfy this property. 
Since ¢ is order preserving it follows by Definition 8 that every abstracted 
trace $(0) € ¢(Tr4(MV2)) must satisfy this property. Now by assumption 
and Definition 9 we know Tr4(MV,) C ¢(Tr4(MV2)). Thus, Tr4(MV1) 
and therefore MV, must satisfy the unit state step assumption. 


We conclude this section by discussing the problem of searching for 
possible abstractions for an MVN. Searching for abstractions is problematic 
due to the large number of potential models that need to be considered. For 
example, consider trying to find an abstraction with k entities each of which 
has n states. If we did this using a brute force approach then we would have 
to consider (n™")k possible candidate models. In [5] an approach for limiting 
this search space for synchronous abstractions was proposed and we show 
that this approach can also be applied in the asynchronous case. 

The key idea is to apply an abstraction mapping to the original MVN 
to produce a set of potential abstraction models [5]. 


Definition 13. Let ¢ = (¢(g1),.-.,¢(gx)) be an abstraction mapping 
for an MVN MV. For each entity g; € MV we can abstract the next-state 
function fy, : Y(gi,)X--:*Y (gin) + Y (gi) to a (possibly) non-deterministic 
next-state function 


(fg: ) : O(Gi1 )(Y (Gir) X +++ X P(Gin UY (Gin )) + O(g94)(Y (94) 


by applying ¢ to its definition, i. e. let 5; € o(gi;)(Y(gi;)), for j =1,...,n, 
then we define ¢(fg,)(1,.-.,5n) by the set 


{6(fo.(815--->8n)) | 85 © ¥ (giz), 6(91;)(8)) = 83, for j=1,...,n} 


We say that the MVN MV4 results from applying ¢ to MV iff: 
(1) MV4 has the same entities and neighbourhood structure as MV; 
(2) The state space of each entity g; € MV“ is the set $(g;)(Y (g)); 
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(3) For each gj € MV" its next-state function 


MV: b(g2,)(V (gis)) x «+ X (Gin OY (Gin)) > H(9:)(¥ (gi) 


is a deterministic restriction of ¢(fg,). 
We define ¢(MYV) to be the set of all such MVNs, i.e. 


o( MV) = {MvA | MV4 results from applying ¢ to MV} 


We can show that any asynchronous abstraction for an MVN MV un- 
der ¢ must be a member of the set of potential abstractions ¢(MV). 


Theorem 14. If MV; <% MV2 then MV; € ¢(MV2). 


Proof. Suppose for a contradiction that MV; ¢ ¢(MV2). Then there 
must exist at least one entity g; € MV2 such that the next-state function 
a > Y(gi,) X ++: x Y(gi,) + ¥(gi) for g; in MV; is inconsistent with 
o(fiM), i. e. for some 1 € Y(gi,),---,5n © Y(gi,,) we have 


LP (Sigh 2585) E Be Gees) 


Given the above, it is clear there must exist a trace o € Tr4(MVj) which 


contains a state step based on the update f!@""(s1,...,8,) and therefore 


Gi 
o € ¢(Tr4(MV2)). However, this contradicts the assumption MV; af MV2 
since by Definition 9 we have Tr4(MV,) C 6(Tr4(MV2)). 


4 A Decision Procedure for Abstractions 


Having formulated a definition of an asynchronous abstraction in the pre- 
vious section we are now interested in defining a procedure for checking 
whether a proposed abstraction MV, is an asynchronous abstraction of an 
MVN MV. In the synchronous case the approach taken was to simply 
check that each trace 0 € Tr°(MV1) was contained within the set of ab- 
stracted traces ¢(Tr°(MV2)). However, in the asynchronous case both sets 
of traces Tr4(MV,) and ¢(Tr4(MV2)) may be infinite and so such a simple 
set inclusion check is not feasible. Instead we propose a decision procedure 
based on using the finite state graph that summarise the behaviour of an 
asynchronous MVN. The idea is to consider all sets of states and associated 
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edges that can be used to model an abstract state. We then iterate through 
these removing those state sets which can not be represented given the cur- 
rent allowable state sets. If at any point we no longer have any state sets 
remaining for a particular abstract state then we have shown the abstraction 
is not valid and we terminate the decision procedure. If, on the other hand, 
we reach a point at which no more state sets can be removed then we know 
the abstraction must be valid and we can again terminate the procedure. 

In the sequel let MV; and MV2 be MVNs with the same structure and 
let @ be an abstraction mapping from MV2 to MV,. 

In order to define a decision procedure checkAsynAbs(MV,,MV2,¢) 
for checking if MV, is an asynchronous abstraction under ¢ of MV2 we be- 
gin by formulating some preliminary concepts. 


i) Representing abstract states: Let S € Syy, then we define 
g*(8) = {8'| 8’ € Suv, $(S') = S} 
to be the set of all states in MV 2 that can represent the abstract state S. 


ii) Set of identical consecutive states: For any state S’ € Syyy. we define 
the set [$’]® of all consecutive reachable states from S$’ that have the same 
abstract state ¢(S’). Define [S$]? = Usea lo where [S$’]? is defined recur- 
sively: [sg = {S’} and 


[S121 = {55 | Si [S]?, Sh € next™¥2(S1), $(S") = 9(54)}. 


We now define the notion of a step term, an expression which is used 
to represent one possible way to model an abstract state and its next state 
connections using a set of concrete states. A step term has the form 
[S : IT: D(S),...,D(Sm)] where S is the abstract state being modelled 
and I is a set of concrete states abstracting to S which are being used by 
the step term to model S. For each abstract next state S; reachable from 
S the set of concrete states D(S;) is included in the step term; it contains 
all those concrete next states reachable from I’ that abstract to $;. (For an 
illustrative example of a step term see Figure 6.) Such step terms will form 
the basis of our decision procedure and are more formally defined as follows. 


Definition 15. Let S € Syy, and suppose next””1(S) = {51,...,. Sm}. 
Then for each non-empty set of states I C ¢~!(S) we define the step term 
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st(S,T) by 
si(S;P) =|(S:I 2 D(S1)s..; DS), 


where D(S;) = {85 | Si ET, S$ € neat™Y2((S1]%), d($5) = S;}, and 
next’? has been lifted from taking a single state as input to taking a set 
of states in the obvious way. Note that the use of [5/]? is needed in the above 
definition to take account of the merging of consecutive identical states that 
occurs in abstracted traces (see part ii) in Definition 8). 
We say a step term [S: IT: D(S1),...,D(Sm)] is valid iff: 

i) the states [ used in a step term have the appropriate connections, i.e. 
D(S;) + {}, for ¢= 122+,ms and 

ii) if nextM@Y1(S) = {} (ie. S is a point attractor in SG4(MV,)) then for 
each S’ €T either: a) there must exist S” € [S”]? such that next”Y2(9"”) = 
{}: or b) there exists states in [S’]® which form a cycle in SG4(MV2). 


For any S' € Sy, we let Step(S) denote the set of all valid step terms 
Step(S) = {st($,P) | C@1(S), st(S,P) is valid}. 


Observe that each valid step term st(S,[) € Step(.S) must correctly 
model in MV2 the connections between S € Syyy, and its corresponding 
next states neat’"1($) in MVj. 

The proposed decision procedure is presented in Figure 4. It works by 
creating a family C = (C(S) C Step(S) | S € Syuyv,) of sets of all valid step 
terms. It then repeatedly looks at each set of step terms C(S), for each 
abstract state S € Siyy,, removing those that have next states that are not 
currently represented in the remaining stored step terms of C. The Boolean 
function not Represented(S;, D(S;),C) used below is defined to be true if, 
and only if, there does not exist a step term st(S;,T;) € C(S;) such that 
Dec DS3): 

To illustrate how the above decision procedure works we consider apply- 
ing it to a simple example where we check whether a proposed abstraction 
MV, does correctly abstract an MVN MV. For simplicity, we use an ab- 
stract description of the behaviour of MV, and MV. which is defined by 
the state graphs depicted in Figure 5, where Al, A2,... represent concrete 
global states and A,B,... represent abstract global states. Suppose we have 
an abstraction mapping ¢ that maps global states in MV2 to abstract global 
states in MV, in the obvious way, ie. ¢(Ai) = A, ¢(Bi) = B, (Cl) =C, 
and ¢(D1) = D. Applying the initialization phase of the decision procedure 
results in the set of step terms given in the left column of the table in Figure 
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Algorithm checkAsynAbs(MV,,MV2,¢): 


/** Initialise valid step terms **/ 
for each S€ Syy, do C(S):= Step(S) 
/** Iteratively check sets of step terms **/ 
repeat 
done :=true 
for each S€ Syy, do 
for each [S:IT’: D(S}),...,D(Sm)] € C(S) do 
for 7:= 1 to m do 
if notRepresented(S;, D(S;),C) then 
C(S):= C(S) —{[S :T : D(S1),..-,;D(Sm)]} 
done :=false 
if C(S)={} then return false 
until (done) 
return true 


Figure 4: Decision procedure for checking asynchronous abstractions 
MV, <4 MV». 


6 (where the step terms for global states C and D have been omitted since 
they are point attractors and therefore cannot be removed). The decision 
procedure then executes the main outer loop three times, as depicted in Fig- 


Cl 
Oe Oa) 
OG 
a © 
(a) State graph for MV2 (b) State graph for abstraction MV; 


Figure 5: Abstract state graphs used to illustrate the decision procedure. 
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ure 6, each time removing those step terms that have next states that are 
not represented in the current set of step terms. At the end of these three 
iterations two consistent step terms remain and so the decision procedure 
terminates, returning true to indicate that MV is a correct asynchronous 
abstraction of MV5. 


Step Terms Iter 1 Iter 2 Iter 3 
[A: {Al}: {B1}, {C1}] Okay Remove 

[A : {A2} : {B2}, {C2}] Remove 

[A : {Al, A2} : {B1, B2}, {C1, C2}] Okay Okay Okay 
[B: {Bl}: {A2},{D1}] Remove 

[B: {B1, B2}: {Al1, A2}, {D1}] Okay Okay Okay 


Figure 6: Table illustrating how the decision procedure for asynchronous 
abstractions would process the state graphs given in Figure 5. 


The decision procedure given in Figure 4 is clearly inefficient and we 
now investigate this further by deriving a worst case performance bound. 
Assume MV, is a Boolean model which has n entities (the size of its state 
space is therefore 2”). The worst case occurs when MV, is not an asyn- 
chronous abstraction of MV2. We let & denote the upper bound on the 
number of states in MV. that can be abstracted to a single state in MV, 
ie. k > |b -1(S)|, for all S € Siyy,. This value is important as it bounds 
the number of step terms, i.e. each abstract state can have at most 2" step 
terms and the total number of step terms possible is 2” x 2* = 2"+*, The 
value & is calculated from the abstraction mapping being used and cannot 
be directly calculated from the size of concrete and abstract state spaces 
(to see this, note that we can increase the size of the concrete state space 
without affecting k). However, multiplying the size of the abstract state 
space by & clearly gives an upper bound on the size of the concrete state 
space. 

The decision procedure begins with an initialisation phase in which all 
the valid step terms are constructed. This has performance O(2"** x nk): 
we have 2”** potential step terms to consider; and for each one, we have 
to calculate the connection sets D(S;) and check its validity, all of which 
requires O(nk) work. 

The main part of the decision procedure consists of three nested for 
loops which have a worst case performance of O(2" x 2* x n), where: 2” is 
the size of the abstract state space; 2" is an upper bound on the number of 
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potential step terms for an abstract state; and n represents the maximum 
number of states that can be connected to a given state. For each of these 
iterations we apply the function notRepresented which has performance 
O(2* x n), giving an overall peformance of O(2"*?* x n?). Finally, we have 
the outer repeat until loop which iterates until one of the step term sets is 
empty. It therefore has a worst case performance of O(2"+*). Combining 
this with the performance given above for the three nested loops gives an 
overall worst case performance of O(2?"+3* x n?) for the decision procedure. 


The above worst case performance is clearly very poor and means that 
in the worst case, the cost of checking an abstraction could be more than 
the cost of directly model checking the concrete state space. However, it 
is important to remember that the above is the worst case performance. 
In practice the decision procedure should perform much better than this, 
removing many more than one step term during each main iteration and 
terminating much sooner if the check is successful. The above has so far 
proved to be the case for the practical examples considered (e.g. the de- 
cision procedure worked well for both positive and negative checks made 
for the abstraction examples considered in Section 5). It is also important 
to remember that facilitating model checking was only one of the motiva- 
tions for developing an abstraction theory. The other motivations discussed 
in the introduction (see Section 1) mean that having a decision procedure, 
however inefficient, is still worthwhile. 


It remains to show formally that the above decision procedure correctly 
identifies asynchronous abstractions. We begin by showing that the decision 
procedure always terminate. 


Theorem 16. The decision procedure checkAsynAbs(MV,,MV2,¢@) al- 
ways terminates. 


Proof. This follows from that fact we can only ever begin with a finite 
family of finite sets of step terms, that no step terms can ever be added, 
and that we must remove at least on step term in order to continue to 
the next iteration. Therefore the algorithm either terminates when no step 
terms are removed or continues to iterate until we reach a point where one 
set C(S) of step terms is empty, again resulting in termination of the algo- 
rithm. 


Let [S : IT: D(S1),...,D(Sm)] be a valid step term, let a, € TI and 
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az € D(S;), for some 1 <i < m. Then note that due to the way consecutive 


; : F ; A : 

identical states are treated it may not directly hold that a, =", ay since 
A A A 

ag € nextMY2([a1]%). We let ay = ay LG oe ce SS ah. for 


ay € [a1]®, for 1 < 7 < r represent the sequence of identical abstracted 


A : 
states needed such that ay ead a does hold in MVo. 
The following lemma considers how step terms can be chained together 
and it is needed to prove the main correctness result below. 


Lemma 17. Let C = (C(S) C Step(S) | S € Syy,) be a family of 
sets of valid step terms such that: 

i) For each S € Syy, we have C(S) # {}; 

ii) The family C is closed under step terms, i.e. for each S € Syyy, and 
[S: IT: D(S1),...,D(Sm)] € C(S) there exists, for each 1 < i < m, a step 
term st(.$;,0;) € C(S;) such that [; C D(S}). 


A A ; . 
Then every path* y = Bee ees Yp in the abstraction state graph 


: A A 
SG4(MYV,) must have a corresponding path a = a; pas a Ce 


in the original state graph SG4(MV2) such that ¢(a) = 7. 


Proof. 

A A 
Let y=71 Ses Yp be a path in the state graph SGA(MV\). Then 
by assumptions i) and ii) it is straightforward to see there must exist a (not 
necessarily unique) chain of step terms 


[yi Te:...,D(y41),--.]€ Cova), st(yp, Tp) € Clvp) 


for 1 <i < p, such that for 7 = 2,...,p we have I; C D(4;). 


We now prove that for any a, € I, there must exist a; € Tj, for 


: __ A A A é . 
l<ic<p, such that a = a7 — --. “4% aq —% ay is a path in 


SG4(MV2) with ¢(a) = y. We prove this using induction on p € N, p > 2 
as follows. 


1) Induction Base. Let p = 2 and suppose we have a path 7 Biel ya. 
Then we know there must exist step terms [71 :T'1:...,D(72),-..] € C(m) 
and st(y2,T2) € C(y2) such that Tz C D(42) (as explained above). Clearly 


“We note that a path differs from a trace in that a trace represents a complete run of 
an MVN whereas a path is simply a walk through an MVN’s state graph. 
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by the definition of step terms we know that for any ag € Ig there must 


. A 
exist a, € Ty such that az ene. a2 and 
_ Asy Asy 
(ay —> az) = y1 —> 72. 


2) Induction Step. Let p = q+1, for some q € N, q > 2. Suppose we have 


A A A 7 
a path y= 71 SES ea Yq zs Yqt1. Then we know there must exist 


step terms 


We PE ie De yee © CO)y. Stygead genre Coen), 


for i = 1,...,q such that T; C D(y;), for j = 1,...,q¢ +1 (as explained 
above). Then by the induction hypothesis we know for each ag € I’, there 


: : __A A A 
must exist a; € Tj, for 1 <i <q, such that a7 a aera Qq—1 = Qg 
? ‘ : A A A A 
is a path in SG4(MV2) with d(ay —> --- —s Ogi — Q) = Vi = 


A ti : 
Gyn Yq. By the definition of step terms it follows that for any ag+1 € 


: A Sas 2 ; 
Ij41 there must exist a, € Py such that a7 = Qg41. Combining this with 
the induction hypothesis given above shows the existence of the required 
path in SG4(MV32). 


It now remains to show that checkAsynAbs(MV,,MV2,@) correctly 
acts as a decision procedure for asynchronous abstractions. 


Theorem 18.  checkAsynAbs(MV,,MV2,) returns true if, and only 
if, MV; <1 MV». 


Proof. 

Part 1) => Suppose checkAsynAbs(MV,,MV2,¢) returns true. By inspect- 
ing the decision procedure we can see this means that a family {C(S) C 
Step(S) | S € Syy,} of non-empty sets of valid step terms must have 
been found which is closed under step terms. Consider any abstract trace 
o € Tr4(MVj); then by Lemma 17 and since any trace can be interpreted as 
a path in SG4(MV;,) we have that there must exist a path a in SG4(MV2) 
such that ¢(a) = o. It is straightforward to see that a@ must be a well-— 
defined trace for MV, i.e. a € Tr4(MV2), by the definition of valid step 
term. This shows that Tr4(MV,) C ¢(Tr4(MVz2)) and so by Definition 9 
we have MV; <% MV». 
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Part 2) <= Suppose MV; <i MV, then by Definition 9 we know 
Tr4(MV) C o(Tr4(MV2)) (1) 


Then we show that there must exist a non-empty family of sets of valid step 
terms which are closed under step term inclusion and thus that the decision 
procedure checkAsynAbs(MV,,MV2,¢) must terminate returning true. 

Let X CT r4(M V2) be the set of traces that abstractly correspond to 
Tr4(MV}): 


X ={o'|o' €Tr4(MV2), Jo € Tr4(MV,).¢(0’) = o} 


For each S' € Syyy,, let X(S) denote the set of all states that abstract to $ 
which occur at the start of a trace in X: 


X(8) = {o"(1) | o" EX, o(o"(1)) = S} 


where o’(1) represents the first state of trace o’. 
Let next™”1(S) = {91,..., 5m}, then using Definition 15 we can define 
the step term 


st(S,X(S)) = [S 2X(S)s DGS) ..<-3 DSi) | 


Clearly, st(S,X(S)) must be valid by (1) above. We can now recursively 
define a set of step terms closed under step term inclusion from st(S,X (S)) 
as follows. Define H(X(S)) = Uje~ H(X(S))i, where H(X(S)); is defined 
recursively: H(X(S))o = {st(S, X(S))} and 


A(X(S) igi = {st(Vj, D(Vj) O X(V5)) | 
[V :T: D(Vi),---,D(V,)] € H(X(S))i, Vj © {Vi,..-, Ve He 


Clearly, the set H(X(S)) is closed under step term inclusion by construc- 
tion. It can also be shown that H(X(S)) only contains valid step terms 
(the proof makes use of fact 1) above and is based on using induction on 
i € N to show all step terms in H(X(S)); are valid). It therefore follows 
that for each S € Syy, we know that each step term st(.$;,T) € H(X(S)) 
must occur in the initial family C of sets of step terms used in the decision 
procedure, i.e. st(.S;,) € C(S;). Since none of these step terms can be re- 
moved from C' by the closure property it follows that the decision procedure 
checkAsynAbs(MV,,MV2,) must terminate returning true. 
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5 Case Studies 


In this section we illustrate the techniques we have developed by presenting 
two detailed case studies. Each case study takes an existing biologically 
inspired MVN from the literature and considers identifying asynchronous 
abstractions using the decision procedure presented in Section 4. 


5.1 Regulation of Tryptophan Biosynthesis in E. coli 


Tryptophan is an amino acid which is essential for the development of E. coli. 
However, the synthesis of tryptophan is resource intensive and for this reason 
is carefully controlled to ensure it is only synthesised when no external 
source is available. The regulatory network that controls the biosynthesis of 
tryptophan by E. coli has been extensively studied (see for example [29, 27]). 


TrpE TrpExt Trp ||Trp| 
(ripe) TrpR 0 0 0,1 0 
. 0 0 2 1 
0 i. Oi) 4 
2 0 2 0 1 
0 2 12 | 2 
1 0,1 0,1,2 1 
(Tr) 1 2 0 1 
1 2 12 | 2 
Trp TrpR || TrpE] 

Trp |[TrpB] | 0 0 1 

011 0 0 1 0 

2 1 12 01 | 0 


Figure 7; An MVN model MTRP of the regulatory mechanism for the 
biosynthesis of tryptophan in EF. coli (from [30]). The state transition table 
for TrpExt has been omitted as this is a simple input entity. Note that the 
state transition tables use a shorthand notation where an entity is allowed 
to be in any of the states listed for it in a particular row. 


Consider the MVN model MTRP for tryptophan biosynthesis presented 
in Figure 7 which is taken from [30]. It consists of four regulatory entities: 
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TrpE — a Boolean input entity indicating the presence of the activated en- 
zyme required for synthesising tryptophan; TrpR — a Boolean entity indi- 
cating if the repressor gene for tryptophan production is active; TrpExt — 
a ternary entity indicating the level of tryptophan in the external medium; 
and Trp —a ternary entity indicating the level of tryptophan within the bac- 
teria. Note the above entity order is used when displaying global states for 
MTRP. We can see from the model that the presence of tryptophan in the 
external medium TrpExt directly affects the level of tryptophan within the 
bacteria Trp and that the activated enzyme TrpE is required to synthesise 
tryptophan. The presence of tryptophan within the bacteria deactivates the 
enzyme 7rpE and at higher-levels also activates the repressor TrpR which 
then acts to inhibit the production of the enzyme TrpE. 

The state space for MTRP consists of 36 global states and for this 
reason we do not reproduce its state graph here. Instead we simply note 
that the asynchronous state graph for MTRP comprises three disjoint graphs 

Asy Asy Asy 


based on the following three attractors: 0000 —> 1000 —> 1001 —> 


0001 = 0000; 0011; and 0122. To identify abstractions for MTRP we 


begin by defining appropriate state mappings for the non-Boolean entities 
TrpExt and Trp as follows: 


o(Trp) = {060,161,261}, o(TrpEct) = {06 0,1H1,2 1}. 
These can then be combined into an abstraction mapping 
b = (Ltrpr, Ltrpr, O( TrpExt), 6( Trp). 


Following the approach discussed in Section 3 (see Theorem 14) we 
first apply this abstraction mapping to MTRP to produce a set ¢(MTRP) 
of candidate abstraction models. By analysing ¢(MTRP) we are able to es- 
tablish that there are 8 possible candidate abstraction models (we have 
4 choices for next-state of TrpR and 2 choices for Trp). After investi- 
gating these candidate models we were able to identify one valid asyn- 
chronous abstraction ATRP (which is presented in Figure 8) for MTRP 
under @ using the decision procedure checkAsynAbs(ATRP, MTRP, ¢). 
Note that since Tr4(ATRP) and ¢(Tr4(MTRP)) are finite trace sets in 
this case we were able to verify the result ATRP <I MTRP, by checking 
that Tr4(ATRP) C ¢(Tr4(MTRP)) holds. 
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Trp || TrpR| 
01 0 
TrpE TrpExt Trp || Trp] | Trp TrpR || TrpE 
0 0 0,1 0 0 0 1 
0 t 2044/4 0 1 0 
1 01 O1] 1 1 ol] 0 


Figure 8: The asynchronous abstraction ATRP identified for MTRP under 
the state mappings ¢( Trp) = {04 0,16 1,2+5 1} and $(TrpExt) = {0H 
0,11 1,2 1}. 


The state graph for ATRP consists of two disjoint graphs and has two 


attractors: 0000 “*% 1000 “* 1001 4% 0001 48% 0000; and 0011. It 
therefore successfully captures two of the three attractors present in MTRP. 


5.2 The Lysis—Lysogeny Switch in Bacteriophage \ 


The temperate bacteriophage is a virus which infects the bacteria E. coli 
[34, 23]. Once the bacteriophage X has infected a cell it chooses between 
two very different methods of reproduction, known as the lytic and lysogenic 
cycles [34]. In most cases, \ enters the lytic cycle; it generates as many new 
viral particles as the host cell resources allow before producing an enzyme to 
lyse the cell wall and release the new phage into the environment. However, 
A may choose to integrate its DNA into the host DNA and enter the lysogenic 
cycle. If this occurs, then the genes expressed in the A DNA synthesize 
a repressor which blocks expression of other phage genes including those 
involved in its own excision, thus providing the cell with immunity from 
further infection. The phage is able to lie dormant, replicating with each 
subsequent cell division of the host but may at a later date enter the lytic 
cycle. 

The core regulatory model PL2 presented in Figure 1 (taken from [32]) 
was based on the cross-regulation between two regulatory genes, CI (the 
repressor gene) and Cro. This was extended in [32] by adding two further 
regulatory genes, CIT and N. The result is a four entity MVN model PLZ, 
presented in Figure 9, which contains two entities with non-Boolean state 
spaces, namely CT with states {0,...,2} and Cro with states {0,...,3}. 
The MVN PLZ consists of 48 global states and its asynchronous behaviour 
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results in an infinite set of traces. It has one point attractor 2000 (where a 
global state has the order CI Cro CII N) which corresponds to the lysogenic 


cycle and a range of cyclic attractors, the most important one of which is 


0200 ae, 0300, corresponding to the lytic cycle. 


We begin by looking to abstract the non-Boolean entities CI and Cro 
by defining appropriate state mappings. After considering the model, we 
define the following state mappings 


O(CT) = {0H 0,1H 1,21}, (Cro) = {060,151,256 1,34 1}, 


which form the abstraction mapping ¢ = (¢(CT), (Cro), Ioz, Inv). Again, 


CI Cro N \{CII] 

01,2 012,30] 0 

0 O12 14] 1 

0 3 1 0 

1 0,1,2 1 1 

1 3 1 0 

2 01,23 11] 0 

CI Cro CI |[CT| CI Cro |[Cro] 

0 oO Olt] oi oO | & 

0 1,23 01 | 0 01 1) 2 

Cr Oro IN) | 1 O O12] 2 01 2 | 3 
0. oO1 |1 1 1,23 01 | 0 01,2 3 | 2 
0 23 10 2 0 ol] 2 2 O11) 0 
1,2 0,1,2,3 | 0 2 123 01/1 2 2/1 


Figure 9: An extended MVN model PL4 of the control mechanism for the 
lysis-lysogeny switch in bacteriophage A (taken from [32]). 


we begin by restricting our search space for abstractions by first applying 
this abstraction mapping to PL4. This results in the set ¢(PLZ4) which con- 
tains 256 possible candidate abstraction models (we have 4 choices for CT, 
4 choices for Cro, 8 choices for CIT, and 2 choices for N). By investigating 
these candidate models and applying the decision procedure checkAsynAbs 
we were able to identify two abstractions for PL4 under ¢. The abstractions, 
APL4, <1% PL4 and APL4y <1 PL4, are presented in Figure 10. These ab- 
stractions have been carefully validated by hand, as have the other candidate 


276 J. Steggles 


models considered that were correctly identified as not being abstractions. 
Interestingly, both abstractions appear to capture the key behaviour of PL4 
in the sense that both contain the point attractors 1000 and 0100 which 
correspond to the two attractors presented above for PL4. 


CI Cro |[N] CI Cro |[Cro} 

0 off i. oO. of 

0 1 0 1 0 0 

1 01/0 1 141 

CI Cro N| [CI] 

CI Cro CII |[CT] 0,1 O01 O 0 
6 oO O41] 4 0 Oo 1 1 
0 1 0,1 0 0 1 1/1 or O 
1 oO o1f1 1 Oo 1 0 
1 1 0,1 0 1 1 1 1 


Figure 10: The transition tables for the two abstractions APL4, and APL4, 
identified for PLZZ under ¢, where all the transition tables are the same 
except for CIT where 011 — 1 for abstraction APL4, but 011 — 0 for 
abstraction APL 45. 


6 Conclusions 


In this paper we have developed an abstraction theory for asynchronous 
MVNs by extending the ideas developed for synchronous MVNs [5] based 
on trace set inclusion. In particular, we defined what it means for an MVN 
to be correctly abstracted by a simpler MVN with the same network struc- 
ture but smaller state space. The abstraction approach used is based on 
an under—approximation approach [9, 24] in which an abstraction captures 
a subset of the behaviour of the original MVN. We showed that this ap- 
proach allows positive reachability properties of an MVN to be inferred 
from a corresponding asynchronous abstraction and that all attractors of 
an asynchronous abstraction correspond to attractors in the original MVN. 
An alternative approach would be to use an over—approximation approach 
(9, 24, 10] in which false positive reachability results can arise. However, the 
construction of an abstraction model which over—approximates an MVN’s 
behaviour appears to be problematic if we wish to remain within the MVN 
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framework (see Section 3 for a discussion of this). 


Directly checking asynchronous abstractions turned out to be problem- 
atic since an asynchronous MVN may have an infinite set of traces making it 
infeasible to carry out a simple trace inclusion check. To address this we de- 
veloped a decision procedure for checking asynchronous abstractions based 
on using the finite state graph of an asynchronous MVN. We introduced the 
notion of step terms to denote possible ways to use sets of concrete states 
to represent abstract states. The decision procedure worked by iteratively 
pruning the set of step terms until either a consistent abstract represen- 
tation has been found or the set of remaining step terms is too small to 
make it feasible to continue. Importantly, we provided a detailed proof of 
correctness for the decision procedure. 


Note that as it stands, the decision procedure is inefficient and we 
derived a worst case complexity of O(22"+3* x n?). This poor worst case 
behaviour means that the cost of checking an abstraction could be more 
than the cost of directly model checking the concrete state space. However, 
it is important to remember that in practice the decision procedure should 
perform much better than this worst case. Indeed, practical experience 
so far has shown this to be the case; for example, the decision procedure 
worked well for all the positive and negative checks made for the abstraction 
examples considered in Section 5. It is also important to remember that fa- 
cilitating model checking was only one of the motivations for developing an 
asynchronous abstraction theory. Other important motivations (see Section 
1) included: formally relating MVN models at different levels of abstraction; 
aiding the visualisation and comprehension of an MVN; and providing the 
basis for a refinement theory. The above motivations mean that having 
a formally proved correct decision procedure, however inefficient, is still a 
substantial step forward. Work is now on going to refine the decision proce- 
dure and to efficiently implement it as part of a tool for MVN abstraction 
checking. Such a tool will provide the support needed to carry out more 
complex case studies, for example supporting the work currently underway 
to investigate abstractions for the relatively complex MVN model of the 
carbon starvation response in E. coli presented in [3]. 


We illustrated the abstraction theory and techniques developed by con- 
sidering two detailed case studies based on identifying Boolean abstractions 
for existing asynchronous MVN models of biological systems. The abstrac- 
tions found in both cases proved to faithfully represent the behaviour of the 
original MVNs and in particular, captured key attractors known to exist in 
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the original MVNs. The case studies illustrate the potential for the abstrac- 
tion theory presented and in particular, how it allows the balance between 
the level of abstraction used and the tractability of analysis to be explored. 


An alternative approach for abstracting MVNs is to reduce the num- 
ber of regulatory entities in an MVN while ensuring the preservation of key 
properties (see [21, 37, 22]). This approach seems to be complimentary to 
the one developed here and we are currently investigating combining these 
ideas. Another possible abstraction approach would be to make use of re- 
sults on modelling MVNs using Petri nets [11, 3, 4, 8] and to then apply 
Petri net abstraction techniques (see for example [31, 19, 38]). Such an ap- 
proach appears promising from an analysis point of view but problematic in 
that the resulting Petri net abstraction may not be interpretable as an MVN 
and so force the modeller to explicitly use a different modelling formalism. 


One interesting area for future work is to investigate automatically 
constructing abstractions for a given MVN and abstraction mapping. Some 
initial work on restricting the search space for such abstractions was pre- 
sented at the end of Section 3 but more work is needed here. One idea is 
to consider developing refinement techniques similar to those of CEGAR 
(Countererample Guided Abstraction Refinement) [10] and other abstrac- 
tion refinement techniques [24]. Closely linked to this idea is the notion of 
a maximal abstraction, that is an abstraction which captures the largest 
possible behaviour of the original MVN with respect to all other possible 
abstractions for the given abstraction mapping. In future work we intend 
to investigate developing such a notion and in particular, consider how to 
automate the construction of such maximal abstractions. 
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